== Why is this an issue? include::../description.adoc[] === Noncompliant code example Using https://github.com/jwtk/jjwt[jwtk/Java JWT] library (to verify a signed token (containing a JWS) don't use the ``++parse++`` method as it doesn't throw an exception if an unsigned token is provided): [source,java] ---- // Signing: io.jsonwebtoken.Jwts.builder() // Noncompliant, token is not signed. .setSubject(USER_LOGIN) .compact(); // Verifying: io.jsonwebtoken.Jwts.parser().setSigningKey(SECRET_KEY).parse(token).getBody(); // Noncompliant ---- Using https://github.com/auth0/java-jwt[auth0/Java JWT] library: [source,java] ---- // Signing: com.auth0.jwt.JWT.create() .withSubject(SUBJECT) .sign(Algorithm.none()); // Noncompliant, use only strong cipher algorithms when signing this JWT. // Verifying: JWTVerifier nonCompliantVerifier = com.auth0.jwt.JWT.require(Algorithm.none()) // Noncompliant .withSubject(LOGIN) .build(); ---- === Compliant solution Using https://github.com/jwtk/jjwt[Java JWT] library (to verify a signed token (containing a JWS) use the ``++parseClaimsJws++`` method that will throw an exception if an unsigned token is provided): [source,java] ---- // Signing: Jwts.builder() // Compliant .setSubject(USER_LOGIN) .signWith(SignatureAlgorithm.HS256, SECRET_KEY) .compact(); // Verifying: Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody(); // Compliant ---- Using https://github.com/auth0/java-jwt[auth0/Java JWT] library. I [source,java] ---- // Signing: JWT.create() .withSubject(SUBJECT) .sign(Algorithm.HMAC256(SECRET_KEY)); // Compliant // Verifying: JWTVerifier nonCompliantVerifier = JWT.require(Algorithm.HMAC256(SECRET_KEY)) // Compliant .withSubject(LOGIN) .build(); ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] ''' == Comments And Links (visible only on this page) include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]